rancher: [BUG] CIS scan on k3s clusters running for too long before it gets completed.

Rancher Server Setup

  • Rancher version: v2.6-head(8048eee)
  • Installation option (Docker install/Helm Chart): Docker
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):

Information about the Cluster

  • Kubernetes version: v1.24.8+k3s1
  • Cluster Type (Local/Downstream): Downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): Custom

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom) Admin
    • If custom, define the set of permissions:

Describe the bug

  • CIS k3s-cis-1.23-profile scan gets stuck into running state for about 25 mins before it gets completed.
  • security-scan-runner-scan-* pod logs:
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""
level=warning msg="no pods found with label \"sonobuoy-component=aggregator\" in namespace cis-operator-system"
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""
level=warning msg="no pods found with label \"sonobuoy-component=aggregator\" in namespace cis-operator-system"
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""
level=warning msg="no pods found with label \"sonobuoy-component=aggregator\" in namespace cis-operator-system"
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""
level=warning msg="no pods found with label \"sonobuoy-component=aggregator\" in namespace cis-operator-system"
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""
level=warning msg="no pods found with label \"sonobuoy-component=aggregator\" in namespace cis-operator-system"
level=warning msg="retrying with deprecated label \"run=sonobuoy-master\""

To Reproduce

  • Provision a k3s v1.24.8+k3s1 cluster(1-cp, 1-etcd, 1-w).
  • Install CIS chart version 2.1.1-rc1
  • Run k3s-cis-1.23-profile scans.

Result

  • Scan gets stuck into running state for around 25 mins before it gets completed. k3s-long

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 22 (20 by maintainers)

Most upvoted comments

@prachidamle the fix was made available in the new version. The older release will always be affected by that issue.

+1
brandond on Mar 28, 2023
Read more comments on GitHub
← rancher: [BUG] Certs and directory /var/lib/rancher/rke2/server/tls/kube-scheduler and /var/lib/rancher/rke2/server/tls/kube-controller-manager missing
rancher: Bug: coredns-autoscaler needs readiness and liveness check →